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The invention relates to a conditional access appaiatus and a method of 
providing conditional access. 



5 



MPEG transport streams provide for conditional access. These streams contain 



encrypted data and messages that enable the decryption of the encrypted data. The messages 
include so-called ECM*s (Entitlement Control Messages) that contain control words for 
decrypting the encrypted data. The control words are continuously updated , making it 
necessary to inchide a stream of ECM's with the encrypted data. The control words in the 
1 0 ECMs themselves are encrypted using an authorization k^. The messages also include so- 
called EMM'S (Entitlement Management Messages) that contain the authorization keys. The 
EMM'S are encrypted with user specific keys. This means that dififerent EMM'S have to be 
broadcast for different users. As a result an EMM for a specific user can only be broadcast 
in&equently. 

1 5 Conditional access allows a service provider to broadcast media information in 

such a way that only authorized users (paying subscribers) are able to decrypt the encrypted 
data. To do so the service provider provides each user with a receiving device. The receiving 
device contains a secure device that is capable of decrypting the EMM'S for the user, so as to 
allow the receiving device to decrypt the ECM's broadcast by the service provider and 

20 thereby in turn to decode the encrypted data. The service provider strongly protects the 
secure device (typically a smart card) against tampering, such as illegal access to obtain 
copies of the key that is needed to decrypt the EMM'S. 



its own provider specific decoders, secure devices and broadcast channels. Mixing the 
25 systems involves the risk of compromising access security. For example, if different service 
providers would supply authorization keys under different conditions the subscribers could 
manipulate authorization key selection. Since EMM's can only be broadcast infrequently any 
error uai the supply of authorization keys can only be corrected afte a relatively long time. 
However the security of using separate systems is inefficient for example in terms of 



Different service providers typically each operate their own system, each with 
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bandwidth usage. Double bandwidth is needed when different service providers broadcast the 
same information to their respective subscribers, for example when the service providers 
service in different area's that are capable of receiving the same signal. 

To improve the efficiency without any long term risk of less security it bas 
S been known to broadcast a single stream of encrypted data accompanied with a plurality of 
streams of messages, each fiom a difiG^rent service provider, each stream containing BCMs 
and EMM'S for decrypting the encrypted data. Thus, the subscribers of all of the service 
providers are enabled to decrypt the same encrypted data. At the same time security need not 

be c o m p romised because each se r vice p r o vider provides the control words with his o wn 

-to E^l^S7~Any4apse-in-seeurity-4s^rreeted4>y'^e-next-change<)fH3 

typically every 10 seconds. 

It is increasiagly becoming cost effective for subscribers to provide 
conditional access devices with storage devices such as hard disks for storing conditionally 
accessible information. The storage device can be used for time-shifted viewing and for 
IS multiple viewing. Such use adds additional value to &e conditional access device and 

therefore it would be desirable that the service provider could exercise control over r^lay. 
Replay also leads to difSculties, for exanq)le when the authorization key is changed between 
the time when the encrypted data and the ECM*s are stored and the time when they are 
replayed. This means that the authorization key has to be changed back to an old 
20 authorization key. 

Amongst others, it is an object of the invention to allow service providers to exercise a more 
flexible control over conditional access. 

The invention provides for an ai^paiatus as set forOi in claim 1 . According to 
25 the invention a signal with a plurality of streams of messages with decryption information for 
die same encrypted data is used. The apparatus provides access to the encrypted data using 
different streams of messages in different modes of operation. For example, one stream of 
messages may be used to decrypt the data during live rendering of the data and another 
stream of messages may be used to decrypt the same data during rendering of a replayed 
30 signal. Yet another stream of messages may be used during transcoding, when the apparatus 
decrjHpts the same data in order to reduce its compression rate. 

The service provider broadcasts the signal with the encrypted data and a 
plurality of streams of messages with decryption information, so that each stream of 
messages can be used independentiy of the other to decrypt the data. Each decryption device 
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is authorized to decrypt the data vaih one of a set of possible authorizatioiis, which includes 
one or more authorizations to use messages fipom any one of a combmation of streams tliat is 
particular to the device. Preferably the set also includes authorizations to use a single stream, 
for live replay for example. Aiifhorization is realized by supplying the relevant authorization 
5 keys, for example in EMM'Sy but also possibly via additional channels such as via the 

internet Thus, one device may be authorized for example to use only the stream of messages 
used in the live rendering mode, allowing the device only to perform live rendering only. 
Another device may be authorized to use the stream for live rendering and the stream for 
replay, allowing the device to perform both modes of rendering. 
10 The service provide may use different time points to change the authorization 

of the use of different ones of the streams of messages. The authorization of messages for &e 
replay mode for example may be for signals broadcast during a certain period, "sfAiile the 
authorization of messages far the live rendering mode are regularly replaced. 

15 

These and otiier advantageous aspects of the apparatus and method according 
to the invention will be described in more detail using the following figures. 



20 Figure 1 shows an £^paratus for providing conditional access to encrypted 

Figure 2 illustrates a signal with a plurality of streams of messages; 
Figure 3 shows a signal distribution system. 

25 

Figure 1 shows an apparatus for providing conditional access to encrypted 
data. The apparatus has an input 1 1 for receiving a signal that contains the encrypted data, a 
multiplexer 10, a data decoder 12 and a rendering unit 14 coupled in cascade. Furthermore 
the apparatus contains a mode selection unit 1 6, a secure device 17, a recording preprocessor 
30 18 and a storage device 19. The mode selection unit 16 is coupled to control inputs of secure 
device 17, multiplexer 10, storage device 19, and rendering unit 14. Secure device 17 is 
coupled to an output of multiplexer 10 together with data decoder 12. Secure device 17 has a 
control word output coupled to a control word input of data decoder 12. Input 1 1 is coupled 
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to storage device 19 via storage pre-processor 18. Storage device 19 has a replay oix^ut 
coupled to multiplexer 10. 

In operation the apparatus processes conditional access signals such as MPEG 
streams. Data decoder 12 and secure device 17 together operate as a conditional access 
5 decode that is cc^able of decrypting data firom the signal, provided that an appropriate 

authorization key is present en entitled to be used in secure device 17. The apparatus operates 
in a selectable one of a number of operating modes. Mode selection imit 16 selects the 
operating mode and instructs the remainder of the apparatus to operate in the selected mode. 

Two - opemting modoo will bo illuotratod: a live rendering modo and a replay m ode; 

-10 ^-the-ltve-rendering-mode-a-signalreceived at-iflput-444s-passedt0-data 

decoder 12 by multiplexer 10. Data decoder 12 decrypts data from the signal and passes the 
decrypted data to rendering device 14. Rendering device 14 contains for example a display 
screen to display video data if the encrypted data represents a video signal. In the live 
rendering mode, mode selection unit 16 commands multiplexer 10 to pass the signal firom 
IS input 1 1 to data decoder 12 and secure device 17. Mode selection tmit 16 commands secxne 
device 17 to extract deciyption information from messages for live rendering firom the signal 
and secure device 17 passes control words obtained from the messages to data decoder 12 to 
decode the encrypted data from the signal. 

In the replay mode a signal stoied in storage device 19 is retrieved and passed 

20 to data decoder 12 by multiplexer 10. Data decoder 12 decrypts data from the signal and 

passes the decrypted data to rendering device 14. In the replay mode, mode selection unit 16 
commands multiplexer 10 to pass fte signal from storage device 19 to data decoder 12 and 
secure device 17. Mode selection unit 16 commands stor^e device 19 to replay the data, 
mode selection unit 16 conamands multiplexer 10 to pass data from storage device 19 and 

25 mode selection unit 16 commands secure device 17 to extract decryption information from 
messages for replay from the signal. Secure device 17 passes control words obtained from tixe 
messages to data decoder 12 to decode the encrypted data from the signal. 

Figure 2 illustrates a signal 24 as received at input 1 1 . The signal is for 
example an MPEG transport stream. The signal contains encrypted data and messages 20, 22 

30 with decryption mformation (for example ECM*s: Entitlement Control Messages). The signal 
progresses as a function of time, shown from left to right Time is divided into successive 
time intervals 26a,b. In each time mterval 26a,b the encrypted data is encrypted in a difGerent 
way and data decoder 12 needs a different control word to decrypt the data from each time- 
interval respectively. In an MPEG transport stream for example the time intervals last 
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typically 10 seconds. The contiol words aie included in messages 20, 22 in signal 24. In 
principle a plurality of messages with flie same control word (or control words) is included in 
the stream for each time interval 26a9b (the number of messages is only shown symbolically, 
in an MPEG stream for exaziq>le an BCM is transmitted approxunately every 0.1 second). 
5 More particularly, each ECM contains two control words, one control word for decrypting 
current data and a next future control word for decrypting data after the next change of 
control word. The data is accompanied by indicators to indicate which control word shoiild 
be used. 

The control words in the messages 22, 24 are encrypted. Secure device 17 

10 decrypts the control words from part of the messages 22, 24 and supplies the currently 

needed decrypted control words to data decoder 12 to control decoding of the encrypted data 
from the signal. The control word supplied by secure device 17 changes at the start of each 
new time interval 26a,b in which a new control word is needed. 

Figure 2 shows a plurality of streams of messages 20, 22 with the same control 

IS words. A first stream contains first messages 20 and a second stream contains second 
inessages 22. Each particular stream corresponds to a different authorization key that is 
needed to decrypt the control words fix>m the messages 20, 22 in tiie particular stream. Any 
one of the streams of messages 20, 22 on its own sufBces to decrypt the control words for 
decrypting the encrypted data. Mode control unit 16 instructs secure device 17 as to \^ch 

20 stream of messages 20, 22 should be used, dependent on the selected operating mode. In the 
live rendering mode for example the first stream of messages 20 may be used and m tiie 
rqplay mode tiie second stream of messages 22 may be used, provided that the corresponding 
authorization key is present and entitled in secure device 17. Thus, each operating mode is 
^labled by possession of a different authoii^ition key in secure device 17. 

25 Secure device 17 may use any way to select the appropriate messages firom the 

signal. In one embodiment each message with decryption information contains an identifier 
to indicate the stream to which the messs^e belongs. In this case, secure device needs only to 
decrypt control words from the messages the carry the identifier of the stream that is selected 
for the mode indicated by mode selection unit 16. 

30 Mode control unit preferably has a Tiser interface (not shown) for selecting the 

operating mode. In addition the user interface may be used to command storage of a signal 
received at input 1 1 in storage device 19. In this case the signal may be pre-processed, for 
example by removing the messages 20 for the stream of messages that are intended for use 
during live rendering. Thxis, tamper resistance is improved, by ensuring that the messages 
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with decryption infonnation for decrypting live streams are absent altogether firom stored 
streams. 

Although the mvention has been illustrated in terms of a live rendering mode 
and a replay mode, additional modes may be used without deviating fix>m &e invention. 
S Some of these modes may use the same stream of messages as another one of the modes, or 
they may use a different stream of messages (not shown in figure 2). For example, flie 
apparatus may have a transcoding mode for a compressed video stream, such as an MPEG 
signal in which the encrypted data is decoded and the decoded data is transcoded, e.g. to 

convert - the data to a lowe r bit rate at a higher c o mpression latlo. In this caw a trausuudiug 

—1-0 unit-may^be-part-of rendering-deviee-Mrforexample-in-the-fornro or ii 

may be part of storage device 19 or it may be provided separately. Selection unit 16 
commands the transcoding unit to transcode the data and at the same time commands secure 
device 17 to use decryption infonnation firom a stream of messages that is associated with 
transcoding. 

IS Furthermore, although the invention has been illustrated using a multiplexer 

and a secure device which are controlled in common by tiie same control device, so that 
ECM selection and source selection are performed in common, it will be imderstood that 
such common control is not essential. The secure device may use detection of &e presence or 
absence of a specific stream of messages with decryption information to select an appropriate 

20 stream of messages. That is, it need not be directly controlled by the same control device as 
the multiplexer. For example, when messages wilh decryption information for decryption 
"live** streams are not stored with the stream, secure device may automatically select 
messages with decryption information for stored streams, if entitled to do so, when it receives 
information that is q>parently stored information because it lacks a stream of messages with 

25 decryption infimnation for "live" reception" 

Figure 3 shows a signal distribution system with a distribution xmit 30 and a 
plurality of apparatuses 32a-c of the type shown in figure 1 . The distribution unit 30 is 
coupled to the inputs 1 1 of the apparatuses 32a-c via a broadcast channel. In addition the 
distribution unit has couplings to the secure devices (not shown) in the respective 

30 apparatuses. These couplings may be temporary couplings via telephone lines or via tiie 
Internet. 

In operation the distribution system makes use of the fact that the apparatuses 
32a-c use different streams of messages to obtain Ihe control words for operation in difGsrent 
modes. Distribution unit 30 provides each apparatus 32a-c with its own specific combination 



• 
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of authorizadoii keys to decrypt difTerent streaxns of mess^es 20, 22 and thereby to operate 
in different modes. Thus different subsoibers, iising different ones of the apparatuses 30a-c 
may be enabled to operate different modes dependent on the payment of subscriber fees. The 
auQioiization key for replay from storage might be provided specifically on draiand ^en the 
S subscriber wants to view stored data. 
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CLAIMS: , 

la 04. 2002 



1 . An apparatus for processing a signal that contains, a stream of encrypted data 
and a plurality of individually identified streams of messages, each of the streams of 
messages containing decryption infoimation for decrypting a common part of tiie encrypted 
data, the spparatus comprising 

S - an ii^ut for the signal; 

- a storage device for storing and retrieving the signal or part of the signal; 
-a rendering unit; 

- a mode selection unit arranged to select an operating mode from a plurality of modes 
including a live rendering mode and a replay mode for rendering the signal Avith the 

10 rendering unit ^en received fix>m the input and when retrieved from the storage device 
respectively; 

- a decoder for decrypting the encrypted data using a selectable one of the streams of 
messages, if entitied to use said selectable one of the streams, the decoder selecting the 
stream of messages dependent on the selected operating mode. 

15 

2. An apparatus according to Claim 1 , the storage device being arranged to block 
out from the signal, during storage of the signal, at least one of the streams of messages other 
than the stream of messages that the decoder selects in the replay mode. 

20 3. An apparatus according to Claim 2, the decoder being arranged to detect the 

selected operating mode from the presence or absence of the at least one of die streams that is 
blocked out from the signal during storage. 

4. An apparatus according to Claim 1, wherein the apparatus comprises a 

25 transcoder, the plurality of modes including a transcoding mode, the apparatus being 

arranged to transcode the signal when the mode selection unit selects the transcoding mode. 



5 . A method of distributing a signal that contains a stream of encrypted data, die 

method comprising 
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- including a plurality of individually identified streams of messages with the stream, each of 
the streams of messages containing decryption information for decrypting a common part of 
the encrypted data; 

- distributing authorization information to receivers of the stream, providing each receiver 
S with a selected authorization, the authorizations being selected fix)m a set of authorizations 

that includes at least one authorization to use combinations of the streams of messages to 
decode the encrypted data, the authorization being selected depending on availability in the 
receiver of respective entitlements for respective ones of the authorizations. 



■40 6-. A^ignal distribution-^stemrferdistributing-arsignaHhat-cont ains ^ars 

encrypted data, the system comprising 

- a signal assembly unit that is arranged to include a plurality of mdividxially identified 

streams of messages with the stream, each of the streams of messages containing decryption ' 
information for decrypting a common part of the encrypted data; 
IS -a transmission unit for broadcasting the assembled signal; 

- an authorization information distribution unit, for distributing authorization information to 
receivers of the stream, providing each receiver with a selected authorization, the 
authorizations being selected fix)m a set of authorizations that includes at least one 
audiorization to use combinations of the streams of messages to decode the encrypted data, 

20 the authorization being selected depending on availability in the receiver of respective 
entitlements for respective ones of authorizations. 
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ABSTRACT: 



A signal (24) that contains a stream of encrypted data and a plurality of 



individually identified streams (20, 22) of mess^es. Each of the streams (20, 22) of 
messages contains decryption infonnation for decrypting a common part of the encrypted 
data. In a receiving and recording apparatus a mode selection unit (16) selects an operatixig 
5 mode fiom aplurality of modes including a live rendering mode and areplay mode for 
rendering the signal vdth a rendering unit (14) i^ien received live and vdien replayed from 
storage respectively. A decoder (14) decrypts the encrypted data using a selectable one of the 
streams of messages. The decoder (14) selects the stream of messages dependent on the 
selected operating mode. 
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